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Abstract. Alloy is an increasingly popular lightweight specification lan- 
guage based on relational logic. Alloy models can be automatically ver- 
ified within a bounded scope using off-the-shelf SAT solvers. Since false 
assertions can usually be disproved using small counter-examples, this 
approach suffices for most applications. Unfortunately, it can sometimes 
lead to a false sense of security, and in critical applications a more tradi- 
tional unbounded proof may be required. The automatic theorem prover 
Prover9 has been shown to be particularly effective for proving theorems 
of relation algebras [7], a quantifier- free (or point-free) axiomatization 
of a fragment of relational logic. In this paper we propose a transla- 
tion from Alloy specifications to fork algebras (an extension of relation 
algebras with the same expressive power as relational logic) which en- 
ables their unbounded verification in Prover9. This translation covers 
not only logic assertions, but also the structural aspects (namely type 
declarations), and was successfully implemented and applied to several 
examples. 

1 Introduction 

The Alloy specification language [5] was created by following a different approach 
than the so called "classic" formal methods. It was built to be lightweight 9 and, 
instead of focusing on theorem proving, the emphasis is on automatic analysis. 
Alloy's underlying logic is a kind of relational logic, making it easier to write and 
read specifications without the need to learn complicated concepts. On the other 
hand, it is also influenced by object modeling languages, from which it inherits 
the navigational style and type hierarchy. As for the verification of the model, the 
Alloy Analyzer tool is provided, which automatically verifies the specifications 
within a bounded scope using off-the-shelf SAT solvers. 

However, sometimes bounded verification is not enough. In safety-critical 
systems, for instance, there is a need to make sure that the program is always 
correct, i.e., we must perform unbounded verification. The only way to do this is 
to mathematically prove that the specifications are correct. Since Alloy's basic 
elements are relations, relational logic provides a natural framework to reason 
about their specifications. Moreover, we believe that using a point-free (PF) no- 
tation, a style where there are no variables or quantifications, as opposed to 



point-wise (PW), provides a simpler framework where proofs can be carried out 
by simple equational steps (see e.g. [H]). Fork algebras are the point- free coun- 
terpart to relational logic. They extend the more traditional relation algebras 
with products in order to regain the expressiveness of relational logic, and will 
be our logic of choice to reason about Alloy specifications. 

Being as expressive as first-order logic, fork algebras are also undecidable: in 
principle this would restrict us to perform manual proofs, eventually assisted by 
interactive theorem provers. However, off-the-shelf automatic theorem provers 
(ATPs) are becoming increasingly efficient and are nowadays able to solve com- 
plex problems. Prover9 [14] is an ATP for first-order logic and equational logic. 
Studies have show that it is the most efficient off-the-shelf ATP to deal with 
relation algebras [2J, and it has been used to prove several properties about 
them 7 . Building on these results, we propose a framework for automatic un- 
bounded verification of Alloy specifications using Prover9. The key contribution 
of this framework is a translation from Alloy models into fork algebras, that 
covers not only logic assertions, but also other structural aspects of the model, 
such as type declarations. 

The next section briefly presents Alloy with an example. Sect. [3] presents 
fork algebras (assuming previous knowledge of relation algebras) and describes 
how relations with arbitrary arity can be represented in this formalism. Sect. [J] 
and [5] present the translation from Alloy models to fork algebras: the former 
focuses on formulas and the latter on the structural aspects. Sect. [5] describes 
the implementation of the translation, and presents the result of translating our 
running example. Sect. [7] discusses some related work, and Sect. [5] concludes the 
paper with some reflexions and suggestions for future work. 

2 Alloy 

We will briefly present the Alloy language by following a very simple example, a 
model of a university with students and the courses they have completed, which is 
presented in Fig.[TJ Roughly, an Alloy model is divided in two parts. The first, the 
signature declarations, defines the existing types and the relations between them. 
In our example, Student and Professor both extend the signature Person, 
inducing a type hierarchy. Person is also declared as abstract, meaning that 
there are no persons besides those contained in its sub-signatures. A particularity 
of Alloy relations is that they can have arbitrary arity. For instance, course is 
a ternary relation that, for a particular university, relates students with the 
courses they have completed. We can also attach multiplicities to signature and 
relation declarations. For example, the multiplicity some in relation lecturer 
forces that at least one professor is lecturing each course. The second part of the 
model consists of facts, that define constraints and properties of the model, and 
the assertions we want to verify. 

Predicates can be defined to be reused in facts and assertions. In our example, 
we define one predicate to model the invariant of the university (students with 
completed courses must be enrolled in the university, and to have completed a 



abstract sig Person -Q 

sig Student, Professor extends Person -Q 
sig Course { 

lecturer : some Professor, 

depends : set Course 

} 

sig University { 

enrolled : set Student , 
courses : Student -> Course 

} 

pred inv[u : University] { 

(u. courses) . Course in u. enrolled 

all s : Student I (s . (u. courses) ). *depends in s . (u. courses) 

} 

pred enroll [u, u' : University, s : Student] { 
u'. enrolled = u. enrolled + s 
u' . courses = u. courses 

y 

assert { 

all u,u' :Uni vers ity, s : Student I inv[u] and enroll [u,u' , s] => inv[u'] 

} 

Fig. 1. Alloy example 

course a student must also complete the courses it depends on), and another to 
model an operation which enrolls a new student to the university. The assertion 
to be verified in this case is that the invariant is preserved by the operation. 

In order to make translation of the Alloy models easier, we restrict the gram- 
mar to an essential core (see Appendix |A"]) , to which almost every other con- 
structions can trivially be reduced. 

3 Fork algebras 

Relational logic (RL) is a characterization of first-order logic (FOL) with rela- 
tional operators. Although it introduces different notations, RL is as expressive 
as FOL. If we remove all quantifiers (and variables) from RL, we obtain the cal- 
culus of relations (CR), a PF fragment of RL. In CR, formulas consist of boolean 
combinations of inequations, formulas of the form R C S. This calculus is ax- 
iomatized by relation algebras (RAs) (for a standard axiomatization see |12j). 
which however is not as expressive as RL (only to a fragment with 3 variables) . 

Fork algebras (FAs) [1] were created to overcome this expressiveness limita- 
tion. They extend CR by introducing pairing (products) to the base set of the 
algebra, and a new operator fork, denoted by V, and defined by (x, y) (KVS) z = 
x R z Ay S z. FAs are as expressive as RL and their axiomatization, an extension 
of RA, is the following. 



Definition 1 (Closure Fork Algebras). A fork algebra is an algebraic struc- 
ture 



where (U, U, PI, , _L, T, id, °) is a relation algebra and for all R, S,T,Q 6 U, 



The relations (idVT)° and (T\7id)° select the first and second element from a 
pair, and will be denoted by n\ and 7T2, respectively. An operator x that applies 
two relations in parallel can be defined as R x S = (wi ■ R)V(tt2 • S). 

3.1 Handling relations of arbitrary arity 

While in Alloy relations can have an arbitrary arity, FA is restricted to binary 
relations. As such, a mechanism must be devised to "binarize" arbitrary rela- 
tions. Unary relations (sets) can be represented in FA using coreflexives, i.e., 
fragments of the identity relation that filter elements of the given set. More pre- 
cisely, a unary relation R can represented by a coreflexive <Pr C id such that 
x E R iff x <Pr x. For n-ary relations with n > 2 a mechanism analogous to 
uncurrying can be used: an Alloy relation R : A\ —>•••• — > A n can be repre- 
sented by the binary relation R : A n x ■ • ■ x A^ — > A\ , whose domain is the 
nested product (associated to the right) of the last n — 1 columns of R. Domains 
and ranges appear reversed in the binary version to allow a direct encoding of 
composition: binary relations R : A — > B and S : B — > C can be composed in 
Alloy as R . S : A — > C using the dot join; by reversing domains and ranges, this 
expression can be directly translated to the FA composition R ■ S. Throughout 
the presentation, the binary representation of an n-ary Alloy relation R will be 
denoted as <Pr if n = 1 or just R if n > 1. We will often abuse the notion of 
arity and classify the binary version of an n-ary relation also as n-ary. Given a 
relation R its arity will be denoted by \R\. 

Notice that in Alloy composition is not limited to binary relations. For ex- 
ample, relations R : A\ — > ■ ■ ■ — >• A n and S : B\ — > ■ ■ ■ — > B m can be composed 
as R • S : A\ — > • • • — >• A n _i — > B 2 — > ■ ■ ■ — > B m , provided n + m > 2. In order to 
translate this directly it is convenient to have an n-ary composition operator in 
FA. Given two relations R and S, where R denotes a n-ary relation with n > 1, 
the composition of R after S will be denoted by R S, and defined as follows: 



(£7, u,n,-,J.,T,-, id, °,V> 



RVS = {{idVT) ■ R) n ((TVid) • S) 
(RVS)° ■ (TVQ) = (R° ■ T) n (5° • Q) 
(idVT)°V(TVi<i) C id 
R* = idU R* ■ R 



T • S ■ R* C T • S U (T • S n T • S ■ R) ■ R' 




R-S if n = 2 
i?.™- 1 (id x S) if n > 2 



It is trivial to show by induction that n-ary composition satisfies analogous 
properties to normal binary composition, in particular identity and associativity: 



R id = R A id » 2 R = R 

R (S « m T) = (R m n S) m n+m - 2 T 

These properties enable us to calculate directly with this operator without the 
the need to expand its definition. Composition with unary relations can be per- 
formed with normal binary composition since these are represented as binary 
corcflcxivcs. 

In an n-ary relation the notion of range and domain is somehow arbitrary: 
for example, given a ternary relation R : A — >• B — » C we may want to compose 
it via the middle column with a relation S : B — >• D. To allow this, we will define 
an operator to rotate a relation: given an n-ary relation R : A n x • • • x A2 — > A\ , 
its right- rotation will be denoted by it : A n _i x ••• x Ai — > A n and can be 
defined as 

l = xiz\ ■ (Rvxr'v . . . vx^r 

where (iZV...V5) represents the right-nested fork i?V(...V5)), and X™ se- 
lects the ith component of a right-nested n-ary tuple, according to the following 
definition: 

!id if n = i = 1 

7Ti if n > 1 A i = 1 

X™^ 1 • 7T2 if n > 1 A i > i 

Note that, when i? is a binary relation, R — R° . We will denote by R the 
application of the rotate k times. Likewise to n-ary composition, this operator 
satisfies some useful calculational properties, namely: 



R =R A S = S » |s| i? 



4 Translating Alloy formulas to FA 

While in RL variables can only be used in relation application, i.e member- 
ship testing, in Alloy they can be used as normal unary relations in relational 
formulas. For example, we can have the composition R.x.S, where x denotes a 
variable, and R and S arbitrary relational expressions. This feature makes the di- 
rect translation of Alloy formulas to FA quite difficult, since standard heuristics 
for variable elimination cannot be used. To overcome this problem, our approach 
is to first expand Alloy formulas to standard RL, where variables only appear 
applied to relations, and then use a RL to FA translation to remove the vari- 
ables. As will be seen in Sect. 14.31 this allows us to use powerful heuristics for 
variable elimination and output much simpler FA formulas. 
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Fig. 2. Translation from Alloy formulas to RL 



4.1 From Alloy formulas to RL 

Fig. [5] presents the translation of Alloy formulas to RL. Alloy formulas are 
boolean combinations of atomic formulas of shape some X or x in X, where X 
and Y denote Alloy relational formulas. The first set of rules in Fig. [5] introduces 
variables in order to convert these atomic formulas into relation applications of 
shape x G X, where x denotes a tuple of variables and X is still an Alloy rela- 
tional formula. The second set of rules expands these into boolean combinations 
of standard relation applications by computing the expected semantics of rela- 
tional operators. Moreover, variable occurrences are translated to equality tests 
(using the identity relation), and constant unary relations (denoting signatures) 
to the corresponding coreflexives that filter values of that type. 



4.2 From RL to FA 



The translation from RL to FA will be defined as a strategic rewriting pro- 
cess [TU]: basic rewrite rules are combined using strategic combinators in order 



to build powerful rewrite systems. We will use the following combinators: se- 
quence, a binary combinator denoted by >, which applies the second rule to the 
result of the first, if successful; choice, a binary combinator denoted by 0, which 
applies the first rule or, if it fails, applies the second; many, which applies a rule 
repetitively until it fails; and once, which applies a rule once somewhere inside 
a term. 

For example, we can easily define a strategy to eliminate universal quantifiers 
and implications as follows: 

4> =j> tjj ~* -i0 v ip (1) 

(Vz :: 4>) ~> -n(3z :: -n<j>) (2) 
(Vz : <f) : V) (Vz :: <t> => ip) (3) 

normalize = many (once |T]) once ([2]) once |3]0 

To distinguish arbitrary RL formulas from purely relational expressions, vari- 
ables <p, ip, . . . , will be used to denote the former, and variables R, S, . . . , to 
denote the latter. 

Intuitively, the translation of a normalized RL formula to an equivalent FA 
formula will proceed as follows: 

1. The formula will first be universally quantified over a fresh pair of special 
variables, denoted x and y, that will represent arbitrary output and input 
values, respectively. The following rule performs this transformation. 

insertVars = <j) ~* (Vx, y :: <j>) 

2. Together with quantifier elimination, all relation applications will iteratively 
be uniformed to operate on the same variables, so that boolean combinations 
of applications can be combined into a single application using the following 
simple strategy: 

uRv AuSv ~» u(RnS)v (4) 
uRvV uSv ~» u(RU S)v (5) 
-i(uRv)^uRv (6) 

aggregate = once ([4]) once (O once (O 

Here, u and v denote arbitrary variables or variable tuples. 

3. In the end we will obtain a single relational expression applied to the quan- 
tified special input and output variables. Those can then be eliminated by 
the following rule: 

dropVars = (Vu,t> :: uRv) ~~» R = T 



We will now detail the strategies for uniforming applications and existential 
quantifier elimination. 



Uniforming Applications. To simplify the presentation we will represent vari- 
ables by indices (similar to de Bruijn indices): existential quantifiers do not 
explicitly mention variable names and a quantified variable is referred to by the 
natural number that indexes the respective quantifier. For example, the formula 
(3 :: (3 :: 2 ill)) is equivalent to (3x% :: (3x2 X2RX1)). The depth of an ap- 
plication is the number of existential quantifiers that enclose it. The depth of a 
formula is the maximum depth of all applications. In the following presentation, 
n denotes the depth of the application that matches with the left hand side of a 
rewrite rule. 

To uniform the input of applications we generalize it to a tuple containing all 
existentially quantified variables at that depth, and use the selection operator 
to choose the desired variable: 

iRj = i(R-X?)(l,...,n) 

In order to keep the tuple of quantified variables only on the input side, 
a slightly different strategy is used to uniform the output, motivated by the 
following calculation: 

i (R ■ XJ) (1, . . . , n) = {3z :: zX? (1, . . . , n) A z (R ■ X 7 }) (1, . . . , n)) 
= (3z::z(X?n(R-X?))(l,...,n)) 
= (3z :: x T z A z (X? n (R ■ X^)) (1, . . . , n)) 

= x(T-(*f n(E •*;))) (i,...,n) 

The quantified (temporary) variable z is introduced to bind the output with the 
appropriate variable of the input tuple. The quantification is then eliminated 
by introducing an intersection, composing with T, and applying the resulting 
expression to the special variable x. A strategy to uniform applications at any 
given depth can thus be implemented as follows: 

uniform = once (i Rj w x (T • (XJ l n (R ■ X 1 }))) {!,..., n)) 

Although this strategy only covers applications to a single variable, it is rather 
straightforward to generalize it to applications to tuples of variables using forks 
of projections, as described in [TT] . 

Removing Existential Quantifiers. The strategy to remove existential quantifiers 
is similar to the one used above to remove the temporary quantifier. While n > 1, 
we compose the terms with the relation (id, T) on the right side to cut the right- 
most existential quantified variable from the input variable tuple: 

(3 :: xi? (1, . . . , n)) - x (R ■ (id, T» (1, . . . , n - 1) (7) 

If n = 1, the term is composed with T and applied to the special variable y: 



(3 :: xRl) ~^x(R- T)y 



(8) 



dropExists = once (0 once © 

Uniforming applications enables the application of strategy aggregate, reduc- 
ing all applications at the deepest level of the formula to a single application. 
This in turn allows strategy dropExists to remove one level of quantifiers, thus 
reducing the depth of the formula. These steps can be combined in the following 
strategy: 

shorten = uniform > aggregate > dropExists 

Finally, the translation from RL to FA iteratively shortens the depth of the 
formula until the external universally quantified variables can be dropped. 

translate = normalize > insertVars > many (dropVars shorten) 
4.3 Heuristic simplification 

An heuristic rewrite strategy can be defined to further simplify the resulting FA 
expressions. This simplification is based on two key ideas: the relaxation of the 
form of the resulting formula, which we now allow to be an inequation of the 
form R C S; and the use of additional relational operators in order to remove 
quantifiers. We will only present a simplified version of this strategy: the full set 
of rules included in the implementation can be found in 
The heuristic simplification strategy is defined as 

simplify = many (FOLrules definitions FArules) 

where 

— FOLrules performs several simplifications related to first-order logic. Es- 
sentially, it is the choice of rules like those presented in Table Q] applied 
once. Note that we present simplified versions of the rules. The implemented 
version considers the commutativity and associativity of logical operators. 
Since wc allow arbitrary inequations as result, this strategy also tries to push 
some expressions into the range of universal quantifiers, thus distributing the 
complexity of the formula between both sides of the inequation. 

— definitions applies definitions of relational operators in order to remove quan- 
tifiers. For example, it applies the definition of composition and converse in 
order to remove some existential quantifiers, according to the following rules: 

(3w :: u Rw A w S v) ~~» u (R ■ S) v 
(3w :: u Rw A v S w) u (R ■ S°) v 
(3w :: w Ru A w S v) ~> u (R° ■ S) v 

In particular, it introduces the n-ary composition operator introduced in 
Sect. EP1 whenever possible, by generalizing the rules above. Among others, 
we have the following rule: 

(3xi :: uR (xi, . . . , x n ) A x n S v) ^ u(R» n S) [x\, . . . , x n -i, v) 



Conjunction 


Disjunction 


Implication 


tp A true ip 
ip A false false 
tp A tp tp 
->(tp A cp) -w -up V -m£ 


V /aise ^ 
■0 V true ~> true 
1/) V tp tp 
-'(tp V cp) -up A -10 


—ttp V cp -n~> ?/) =>• 
/aise => i/> ~* true 
true ^ tp ^ tp 
tp ^ (cp ^ ip) (tp A cp) ^ (p 


Negation 


Quantifiers 


-i-if/i ~-» i/> 
-^true false 
-^false «-* free 


(Vu : tp : cp tp) (Vw : tp A cp : cp) 
(3u : tp : cp) ^ (3u :: tp A <p) 
(Vu : : (Vu : : cp)} (Vw, v : tp A (p : tp) 
(3u : tp : (3v : cp : ip)) ~~> (3u, « : tp A cp : tp) 



Table 1. FOL rules. 



Meet rules 


Join rules 


Complement rules 


AnA-^A 
AnT ^ A 
Anl"»i 
(AnB)° -» A° n B° 


AuA ~* A 

All ± A 
(AuB)° A°uB° 
An B ~> Au B 


R- s 

#\S ~> R° -S 
S <ZR~> R<Z S 

_r 


Converse rules 


Division rules 


Product rules 


R° U ~>R 
(R ■ S)° ~* S° -R° 
TCfl%TCU 
R° C _L RC ±_ 


R C S\T ^ S-RCT 
A.\R true 
R\T ~>* true 


7T? • i? (1 7T 2 ° ■ 5 (i?VS)> 

(J?VS)° • (AVB) -R° ■ 4 n S° ■ B 
(idVT) ■ i? ~» (i?VT ■ i?) 
OR-TriVS-Tra) ^ RxS 



Table 2. FA rules. 



Expressions similar to this one, but with x\ on a different position of the 
tuple are dealt with other rules, which resort to the rotate operator. Besides 
composition, we also introduce forks, complement, and other derived opera- 
tors characterized by powerful algebraic laws, such as the relational division 
operators. These are particularly interesting because they allow us to remove 
universal quantifiers, according to the following rules: 

(Viu : w Ru : w S v) ~» u R\S v 
(\fw : uRw : v S w) uR/Sv 

— FArules performs several simplifications related to FA operators. Among 
many others, it is the choice of all rules presented in Table [U applied once. 
These rules correspond to equations of the axiomatization of FA presented 
in Sect. [3] or can easily be derived from them. 

With this strategy we can redefine the translation from Alloy to FA as follows: 

translate = simplify > (dropVars (normalize > insertVars> 

many (dropVars (simplify > shorten)))) 

By applying the heuristic strategy we highly simplify the formula before the 
automatic translation kicks in. At this point, the expression might even be in 



a shape where variables can be dropped. Since it keeps the range in universal 
quantifiers, the dropVars strategy must be redefined as follows: 

dropVars = {(\/u,v :: uRv) ~+ R = T) ((Vu, v : u Rv : u S v) ~-> R C S) 
4.4 Translating the closures 

Translating the reflexive-transitive and transitive closures requires a slightly dif- 
ferent approach. In this section only the translation of the reflexive-transitive 
closure will be presented, but a similar translation can be applied to the re- 
flexive closure. Due to the closure type restrictions, our goal is to obtain an 
expression of the form: 

l(x, y) e *R] = (on, . . . , a k ,x) {translate*\{x, y) 6 R])* {ax,..., a k , y) (9) 

Where {a\ , . . . , a k ) are the k free variables occurring in R, with type A\ x • ■ • x A k . 
This operation "lifts" the variable applications from inside the closure, resulting 
in the following type transformation: 

R (ai, . . . , a k ) : A <— A translate*l(x, y) e R] : A\ . . . A k x A <— A\ . . . A k x A 

The resulting expression can then be processed by the standard PF transforma- 
tion already defined, where the variables will be dropped. 

The expansion of the inside expression by the [ ] operation results only in the 
introduction of boolean operators and existential quantifiers, which have to be 
removed in order to obtain the desired PF expression. The existential quantifi- 
cations may be removed by the definitions rule, which applies the composition 
or n-ary composition, associated with the reverse or rotate operators, to drop 
those variables. In order to obtain the wanted shape of input and output, we 
apply a rule similar to uniform, but with a tuple on each side instead: 

uniform* = many {once {ai Raj {a\, . . . , a n , x) {X™° ■ R ■ X") {a\, . . . ,a n ,y))) 

Once again, if a.j or aj are tuples, this transformation is generalized to forks of 
X projections. The rest of the boolean operators may then be removed by the 
aggregate rule already defined, by applying intersections, reunions and comple- 
ments. The translation is thus defined by: 

translate* = many {aggregate > definitions > uniform*) (10) 

5 Translating Alloy declarations to FA 

Besides translating Alloy formulas to FA we also need to express in this formal- 
ism other facts about an Alloy model, namely all the information concerning 
signature, relation and multiplicity declaration. 

Alloy signatures denote sets of atoms and thus will be represented by con- 
stant coreflexives. A sub-signature declaration induces an inclusion between its 



coreflexive and the super-signature coreflexive. Sub-signatures must also be pair- 
wise disjoint. If a signature is abstract, then its coreflexive is exactly the union 
of all the coreflcxives of its sub-signatures. Moreover, according to Alloy seman- 
tics, the identity relation is equal to the union of all the top-level signature 
coreflexives. 

A binary relation of type R :: A — >• B induces the fact R C <&b -T -<I>a- In case 
of n-ary relations, since we transform the domain into a product, the property 
can be generalized to R C <1>a 1 ■ T • <&a 2 x . . . &A n , for a relation R :: A\ — >■ 
■ ■ ■ — > A n . Notice that type reasoning can be easily performed using this kind 
of declaration. For instance, since the inclusion is monotone, for two relations 
R C <Pa ■ T • <S> B and S C <P C ■ T • <P D we have R ■ S C § A ■ T • <P B • @c • T • $d- 
Since for any coreflexives and \P we have <f • \P = <3> fl we see that the values 
that are composed are precisely the ones belonging to <Pb H<?c- In particular, if 
the signatures are disjoint we have R ■ S C _L as expected. 

Signature and relation multiplicities can be used to introduce many useful 
constraints in an Alloy model, without the need for additional facts. They can 
be directly expressed as FA properties, thus avoiding the need to be formulated 
in RL and processed by the default transformation. For example, a signature A 
constrained by multiplicity some induces the property T C T-^-T involving its 
coreflexive. The following calculation makes evident why this formula expresses 
the desired meaning: 



A similar calculation allows us to deduce that a signature A constrained by mul- 
tiplicity lone can be represented the property <Pa'~^ -&a C id. If the multiplicity 
is one we just generate both facts. 

Concerning relations, each multiplicity in a declaration will be treated sep- 
arately and will induce a different FA property. A lone in the last column of a 
relation declaration (for example, R : A — > lone B) can be represented by the 
property R° ■ R C id, as justified by the following calculation: 



If the lone multiplicity appears in a column other than the last, we can just 
apply the rotate operator in combination with the above property. In general, 
given a lone in the ith column we have the following equivalent property: 



TCT-*a-Te(Vi,!/ 



x T y => x (T • <P A ■ T) y) 

true => (3z, w :: x T z A z&a w A w T y)) 

(3z, w :: true Az^mA true)) 

Z <S>A U>) 



= (Vx, y 
= (Vx, y 
= (3z,w 



R° ■ RCid= (Vx,y :: x (R° -R)y^xidy) 

= (Vx, y :: (3z :: x R° z A z Ry) =>• x = y) 
= (Vx, y :: (3z :: zRx A z Ry) => x = y) 



(\R\-i)^° (|fl|-i)-v 
R ■ R 



C id 



A similar reasoning can be applied to the some multiplicity. If the ith field is 
marked with this multiplicity we generate the following property: 

(|H|-i)-> (\R\-i)^° 
idC R ■ R 

Likewise to signatures, if the multiplicity is one we generate both facts. 

6 Implementation and example 

The translations defined in Sects. [4] and [5] were implemented in a tool that 
transforms Alloy models into FA inequations ready to be proved by Prover9. The 
tool is divided in three parts: first Alloy models are parsed and translated to RL; 
then the RL models are transformed to FA; lastly the FA model is embedded 
into Prover9. 

All the translations were implemented in the functional language Haskell. 
Parsing of the Alloy model is performed by resorting to the parser generator 
Happy [13] . The model is then transformed to fit the restricted grammar defined 
in Appendix^ Finally, by applying the rules defined in Fig.[2]and the properties 
induced by the signatures defined in Sect. Owe obtain the RL model. 

In order to implement the translation from RL to FA, defined in Sect. [U 
a generic RL strategic rewriter was implemented, allowing an effective way to 
manipulate formulas by defining rules and strategies. As such, once the needed 
RL rules were defined, we were able to define not only the translation from 
PW to PF, with several variants, but also its reverse, from PF to PW. The 
facts and the properties induced by the signature declarations are passed on 
as the environment of the other translations. Finally, although this tool was 
implemented with Alloy in mind, a mode for directly translating RL formulas 
to FA is also provided. 

The output of the translation is a step-by-step RL to FA translation along 
with the final FA model, pretty-printed in P/Tj^X. In Fig. [3]the translation of the 
example Alloy model in Fig. Q] is presented. For space reasons, in the assertion 
we abbreviate signature and relation names to the first letter and denote by Ri 
the term (Xf° ■ R). This FA model can now be passed to Prover9. To prove 
theorems in Prover9, it is necessary to define useful valid axioms and lemmas for 
the particular context. In order to efficiently verify Alloy models, useful relational 
and FA properties were defined. In particular, the assertion in our example model 
was automatically verified by Prover9. 

7 Related work 

Little work has been done concerning unbounded verification of Alloy specifi- 
cations. Arkoudas et al. PQ have developed a tool, Prioni, which provides the 
axiomatization of the RL of Alloy to Athena [17], a type-w denotational proof 
language. However, this translation is made to a first-order logic, and thus the 



id — Person U Course U & University 

^Student U ^Professor ^ Person A ^Student H & Professor ~ -L 

ledurer C <P Course • T ■ ^Professor 

enrolled C $ University ■ T ■ <P Student 

COUrSeS C University ' T • $ Student X $ Course 

depends C ^course • T ■ $ 

Course 

id C lecturer ■ lecturer 
{$u x$u x <P S ) n d/(ei ■ tti) n (ci ■ (# s x d*°))/ci 

n 

Ci / C2 n C2 / ci n ei / e2 n e2 • 7T2 • 7T2 Pi e2 / ( ei U 1^3 ) 

c 

C2/(e 2 • 7ri) n (c 2 ■ (<£s x d*°))/c 2 
Fig. 3. Example model translated to FA 

relational flavor of Alloy is lost. Frias et al. defined a translation of Alloy formu- 
las to FA [5], from which the initial inspiration for our translation was drawn. 
They then extended the PVS [16] language to support FA, and used it to verify 
Alloy specifications [B]. Later, the same team extended the FA so that it sup- 
ports first-order quantifiers, making it more friendly for Alloy users [3]. They 
also presented a tool, DYNAMITE, which provides interaction between PVS and 
Alloy Analyzer. A significant methodological difference to our work is that, in 
both these works, the focus was not on automatic verification but on manual 
proofs assisted by a theorem prover. 

Although initially inspired by [5], our translation results in much simpler 
expressions and ends up having very few similarities with it. We also convert the 
input of the relations to a tuple containing all quantified variables, from which 
the desired variable is then selected. However, the way this goal is achieved 
differs significantly from the original. In [5] all variable occurrences were directly 
translated to a corefiexive which forced the input to take the value of the desired 
variable. Like has been presented, we expand the Alloy terms to RL, in order to 
be able to completely remove the variables by applying some simple FA rules. 
Other restrictions that highly increase the complexity of the initial translation 
were lifted in our translation, like imposing every formula to be of the shape 
T = R and enforcing that shape on the inner terms. For comparison purposes, 
consider the following Alloy formula: 

all a : A I some b : B I a in R.b kk a in S.b 

Applying the translation defined in [5] results in the following formula: 



T • p((id, 7T 2 • <f))) ■ (TTI • 7Tl , 7T2 • 7Tl,7r 2 , T) • (7Tl, 7T 2 , T) • {id, T) • T = T 



where 



<f) = id x T n S(tt 2 ■ 7Ti (~1 7r 2 ) n p(id x R ■ §{-k\ ■ ttj f~l ir 2 )) Hid x Tn 

<5(7T 2 • 7Tl fl 7T 2 ) n p(id X S" • 5(lli ■ 7Tl fl 7T 2 )) Hid X T 

and p and <5 compute the domain and range of a relation, respectively (as a core- 
flexive). On the other hand, our translation (without the heuristic simplification) 
results in 

T C (T • (tti n R ■ tt 2 ) n T • (tti n S ■ tt 2 )) • (id, T) • T 

and with the heuristics just in id C R° ■ S. In fact, the resulting expressions were 
so complex that the approach proposed in [5] was abandoned by the authors 
in [3] . Another improvement from their work is that we consider the whole Alloy 
model, including all type information from declarations, while they consider only 
the translation of the formulas. A feature of the approach presented in [5] from 
which we drew inspiration is the definition of the n-ary composition operator. 

Using Prover9 to verify relational models was already proposed in [7J. How- 
ever, since they use only RA, their expressiveness power is limited to a 3 vari- 
able fragment of RL. A significant difference occurs in the way the types are 
represented. While they use vectors to represent sets, and thus types, we use 
coreflexives. This change is motivated by our belief that coreflexives are more 
amenable to calculation. They also did not propose a translation from Alloy to 
RA and assume the model is already defined in this formalism. 

8 Conclusions 

We have presented a framework for unbounded verification of Alloy specifications 
with the automatic theorem prover Prover9. The key ingredient of this frame- 
work is a translation from Alloy models into FA, a point-free characterization of 
relational logic. This translation greatly improves a previously existent one, by 
proposing a different translation strategy and using heuristics to further simpli- 
fies the results. It also covers the structural aspects of the model, namely type 
declarations. These improvements made proof automation with Prover9 viable. 

The translation was fully implemented and tested on several examples with 
complexity similar to our running example. On all these Prover9 was able to 
automatically verify the assertions. However, in order to scale this approach to 
bigger case-studies some additional work is still needed to find the appropriate 
set of axioms to be included in Prover9. The main problem concerns the ubiqui- 
tous use in Alloy models of relations with arity bigger than 2, and thus we are 
currently searching for more useful laws characterizing the operators introduced 
in Sect. IQ 

Although Prover9 was used to discharge the proofs, the translation presented 
is generic and not bound to it. For instance, since our translation provides much 
simpler results than the one from [5], it could be interesting to use it as a 
replacement in order to increase the performance of the underlying proof system. 
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A Grammar for a fragment of Alloy 



Model := Paragraph* 

Paragraph := Sig I Fact I Assert 



Sig 

Fact 

Assert 

Rel 

Mult 

Form 



Exp 



[Mult] fabstract7 sig Id /"extends Id] {Rel*} 
fact {Form} 
assert {Form} 



[Mult] Id I 
some / one / 
Exp in Exp 
Form && Form 
! Form 
all Id : 
some Exp I 
Id 
iden 
none 
univ 

Exp 
Exp . Exp 
Exp k Exp 
Exp + Exp 
Exp - Exp 
Exp -> Exp 
< : Exp 
:> Exp 



[Mult] Id -> 
lone / set 



Rel 



Exp I Form 
I lone Exp 



Exp 
Exp 



Exp 



■ relation identifier 

identity relation 

empty relation 

universe 

transposition 
• composition 

- intersection 

- union 

- difference 

- cartesian product 

- domain restriction 

- range restriction 
reflexive-transitive closure 



